IETF Logo Mail Archive

Re: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt

Tom Haynes <loghyr@gmail.com> Thu, 03 May 2018 00:12 UTC

Return-Path: <loghyr@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7B8B127275 for <nfsv4@ietfa.amsl.com>; Wed, 2 May 2018 17:12:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WLUbUdd8TSMk for <nfsv4@ietfa.amsl.com>; Wed, 2 May 2018 17:12:15 -0700 (PDT)
Received: from mail-pf0-x232.google.com (mail-pf0-x232.google.com [IPv6:2607:f8b0:400e:c00::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C10A8127078 for <nfsv4@ietf.org>; Wed, 2 May 2018 17:12:15 -0700 (PDT)
Received: by mail-pf0-x232.google.com with SMTP id b26so404111pfi.10 for <nfsv4@ietf.org>; Wed, 02 May 2018 17:12:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=6KSDdAJuxoKImfgGUT/k+wsU//ebiiMEryzj391cJPA=; b=NA1TF8VpcDrcmVcxwA0qGYlegNdka93Fh1hBJXui5g+Vz2yzzlIULPwCQlNDuyx9ih 75oo3tKAR05Mmk7UEgswe1Mcf7Xc7k/x7Xqf27s7U10uNExIV1B0SynhlrSMYp+Oj7h0 gm+qnnP6lJNM65FYKKqmyCmoOjIq5iDafbGi9Zrgicd9wkODu/Au56dw5Z366/mrjlZ4 MEk/q0MPicxZEY04NnQOyKkg9GWl1Ua4Bw5daFDAoodnbUdwpoXMAvIJZ+IgZb1XoWHU XcbbRapS3o7uJGRVswUlMdQ3JVNEyURgW6b4mIdQleIjNpTbjzzjuQYFrxkfDXI9I8CR 1XAA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=6KSDdAJuxoKImfgGUT/k+wsU//ebiiMEryzj391cJPA=; b=qFOb3a+8nM39wA/0g4HVtm+2tWL702SXDlGm67zaSREe9GKc1Z2hrnPfN8UULoVmw3 SkP8sEGciYhUD/8gMlHUhZcxCZhh4loEXc46CYlFjxMTq/U/6fa53GrW+yeiwWb6MDCk IbJKrFGp57bBlm79CM+f9B9oEj2ZRWobMVBMoVgqD5Sc33SqHhyNkO63+8Ym2QmF6Lwl oiPTZCF99kuD4yIqna4fVzg7YsQbS+P4mh0L9lC++dM5feXEnkjM27BibZL2VMu7zPTo xyYaKaEIJcC0loUyP7f/lGd+dRLuUvFeBThzt+yauXRwwpK/VXsTSYP+XXqs8TOVNqON ifxA==
X-Gm-Message-State: ALQs6tC6pVrFEptkyJa44cbzJUtllPvwpF31GEsWbgn2LCswyaFqrqLT 5X3nEdDqsfAxvMMOO7mOo6g=
X-Google-Smtp-Source: AB8JxZprJo9LoCGJrxMn3X1tTXK3WP7Efjl2V1cseRZr62viyCPJWQVp7NyeR51lBNsnrIrYaAgUCw==
X-Received: by 2002:a17:902:8692:: with SMTP id g18-v6mr21932934plo.152.1525306335306; Wed, 02 May 2018 17:12:15 -0700 (PDT)
Received: from ?IPv6:2600:380:8661:b41:d5b8:5676:ce7c:6c31? ([2600:380:8661:b41:d5b8:5676:ce7c:6c31]) by smtp.gmail.com with ESMTPSA id t23-v6sm22395453pgu.41.2018.05.02.17.12.14 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 02 May 2018 17:12:14 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (1.0)
From: Tom Haynes <loghyr@gmail.com>
X-Mailer: iPhone Mail (15E302)
In-Reply-To: <7898FB59-A717-47E4-AF9B-38720EF40E56@oracle.com>
Date: Wed, 02 May 2018 17:12:13 -0700
Cc: "Quigley, David" <david.quigley@intel.com>, Spencer Shepler <spencer.shepler@gmail.com>, NFSv4 <nfsv4@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <AEEFCC10-2709-4F03-9C9B-49580D518B46@gmail.com>
References: <152337099624.13448.11040477333954216664.idtracker@ietfa.amsl.com> <FB6B8D57-CEF6-46E1-97C7-E43C7E49752F@oracle.com> <2CBB38A6-45FF-46A4-96A5-5D1B431E1365@gmail.com> <106AF901BBB25B4082BCE4FEC2F79D440627CED6@ORSMSX108.amr.corp.intel.com> <C388AE74-D240-4CFE-92A3-D0D6B0D31077@oracle.com> <106AF901BBB25B4082BCE4FEC2F79D440627CF0A@ORSMSX108.amr.corp.intel.com> <7898FB59-A717-47E4-AF9B-38720EF40E56@oracle.com>
To: Chuck Lever <chuck.lever@oracle.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/_P-cXqwg95d-Sbi-kQf-4DLTMt8>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 May 2018 00:12:18 -0000

Hey Chuck,

For some reason I thought you were describing what Linux was doing, not something new...

But yeah, David is right, only one LFS is going to work.

I’ll have to check if xattrs allows for system atttrs, but if it does, why can’t you use them?

Tom

> On May 2, 2018, at 4:27 PM, Chuck Lever <chuck.lever@oracle.com> wrote:
> 
> 
> 
>> On May 2, 2018, at 7:10 PM, Quigley, David <david.quigley@intel.com> wrote:
>> 
>> Hi Chuck,
>> 
>> I'll address each thing in turn since outlook doesn't seem to like inline commenting
>> 
>> I would say there is a prohibition on it as it was the only reason we went down the sec_label route in the first place. The initial proposal was to have xattrs on nfsv4 and put the security label in there. We designed the sec_label attr for MAC labels and the LFS specification is also explicitly for MAC Labels. We explicitly state that FATTR4_SEC_LABEL is a MAC Security Attribute in the 4.2 specification. This field is called sec_label which is kind of unfortunate name as it was intended to represent security labels in the traditional orange book sense.  It is not intended for arbitrary security related data. It is an access control field not an integrity field. Using it as a blob store for integrity data is similar to the pushback I received from Trond when I wanted to put this data in xattrs to begin with.
>> 
>> I also said I could see why you'd want to use it for capability data but to be honest capabilities should have their own mechanism just like how they do in Linux today. Its unfortunate that all of this is stores in xattrs on Linux because it really shouldn't be. The initial version of SELinux had new system calls for getting and setting security related information. It was only because the way of handling things at the time was to extend interfaces through the file system and psudo filesystems that SELinux and IMA look the way they do today. If you look at other systems that did it properly (FreeBSD) they introduced proper syscalls for all of this.
>> 
>> With respect to the three LFS numbers they are only supposed to cover data in the sec_label attribute. Do you only intend on storing one of the three in the attribute? How is this supposed to work? If you have a setfattr with an IMA LFS encoded attribute and then an EVM encoded attribute it would just overwrite it. You wouldn't be able to store them independently with the one attribute as it is unless I am misunderstanding something.
> 
> Let's dive into this one for a moment.
> 
> Are you saying that a file is allowed only one NFSv4 security label at a time,
> similar to the way a file can have only one NFSv4 ACL?
> 
> If that's the case, then NFSv4 security labels are not going to work at all,
> and we'll have to create a separate purpose-built mechanism for each of these
> objects. Obviously we do need to store an ACL and an SELinux label and IMA
> metadata and file capabilities separately.
> 
> 
>> I will have to look at what was done with the final implementation that made its way into the Linux kernel but the sec_label attribute is supposed to be limited to one value per file. It is not supposed to be a multiplexed attribute based on the LFS. Security labels in a MAC sense are explicitly one value per file.
>> 
>> I will give it a closer read tonight and look at the implementation in the Linux Kernel. However it was not intended that if you do serfattr with two different lfs that you would store two different values.
>> 
>> Dave
>> 
>> -----Original Message-----
>> From: Chuck Lever [mailto:chuck.lever@oracle.com] 
>> Sent: Wednesday, May 2, 2018 4:51 PM
>> To: Quigley, David <david.quigley@intel.com>
>> Cc: Tom Haynes <loghyr@gmail.com>; Spencer Shepler <spencer.shepler@gmail.com>; NFSv4 <nfsv4@ietf.org>
>> Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt
>> 
>> Hi David-
>> 
>>> On May 2, 2018, at 6:36 PM, Quigley, David <david.quigley@intel.com> wrote:
>>> 
>>> I can understand wanting to use the sec_label field for capabilities but using it for the IMA and EVM data isn’t really in the spirit of what we designed this for. Those are integrity mechanisms and on Linux systems they are completely separate from the LSMs (access control is not integrity).
>> 
>> Yep, I get that, but I don't see a functional problem here. It seems like an artificial constraint to say that we can't store IMA metadata in a generic security label, and I don't see any explicit prohibition to doing so laid out in the existing RFCs (if there is one, please point it out).
>> 
>> You can make a similar argument about file capabilities, which are not MAC security. Should they be excluded from using a security label for this reason?
>> 
>> 
>>> Also having them as 3 different LFS ids make no sense. The LFS is supposed to describe the format of what you are sending and receiving for the sec_label field. Unless something changed in the last rounds of revisions to the sec_label support there should only be one value per file?
>> 
>> A file can have capabilities associated with it, a security.ima xattr, and a security.evm xattr. All three are separate objects and can change independently of each other. Capabilities and IMA are not at all related to each other, so at least these two need separate LSF numbers.
>> 
>> 
>>> Also something to consider is that Nico explicitly separates capabilities from MAC labeling in in RPCSECGSSv3. This is because traditionally capabilities and MAC systems are orthogonal to each other. I know file capabilities are different from the regular capabilities on processes in Linux but it is something to consider that on a normal Linux system they can co-exist and be enforced at the same time. With this mechanism you couldn’t support both SELinux and file-capabilities at the same time like you could on a local system.
>> 
>> Implementations can store the content of each LSF in separate xattrs, or so it appears from my brief audit of the Linux implementation. I don't see anything that prevents storing an SELinux label in one xattr, file capabilities in a second xattr, and IMA metadata in a third xattr.
>> 
>> 
>>> I will be able to provide better feedback once I’ve read through the document another couple of times but those are my initial impressions just from a sec_label and LFS perspective. 
>> 
>> Thanks for looking!
>> 
>> 
>>> Dave
>>> 
>>> From: nfsv4 [mailto:nfsv4-bounces@ietf.org] On Behalf Of Tom Haynes
>>> Sent: Wednesday, May 2, 2018 3:30 PM
>>> To: Chuck Lever <chuck.lever@oracle.com>; Spencer Shepler 
>>> <spencer.shepler@gmail.com>
>>> Cc: NFSv4 <nfsv4@ietf.org>
>>> Subject: Re: [nfsv4] New Version Notification for 
>>> draft-cel-nfsv4-linux-seclabel-xtensions-00.txt
>>> 
>>> Hey Chuck,
>>> 
>>> For the most part, my issues are the ones common to first drafts.
>>> 
>>> And Spencer S,
>>> 
>>> Can we nominate this as official WG document? It is mature enough and on point with the earlier LFS work.
>>> 
>>> Thanks,
>>> Tom
>>> 
>>> Abstract
>>> 
>>> NFS version 4.2
>>> Need to define NFS first.
>>> 
>>> Introduction
>>> 
>>> Before specifying new protocol,
>>> ->
>>> 
>>> Before specifying a new protocol,
>>> —
>>> 
>>> (hereafter, IMA)
>>> (hereafter, EVM)
>>> drop the hereafters
>>> 
>>> —
>>> 
>>> This is done by cryptographically signing HMAC please introduce HMAC
>>> --
>>> RSA public key signature
>>> Please define RSA
>>> 
>>> ——
>>> 
>>> The goals and use cases of the Linux Integrity Measurement
>>> Architecture (IMA) are presented in further detail in [IMA-WP].
>>> Already have defined IMA
>>> 
>>> —
>>> 
>>> with the
>>> superuser
>>> What is a superuser?
>>> 
>>> ——
>>> 
>>> You then have four bullet points, which as they are complete sentences should end with ‘.’
>>> 
>>> —
>>> 
>>> execve(2)
>>> 
>>> need a citation (probably to POSIX)
>>> 
>>> ===
>>> 
>>> Section 3
>>> 
>>> Linux file capabilities
>>> becomes
>>> a capability set
>>> without motivating the connection.
>>> 
>>> =====
>>> 
>>> LFS
>>> 
>>> not introduced.
>>> 
>>> ====
>>> 
>>> MAC
>>> 
>>> not introduced
>>> 
>>> —
>>> 
>>> In order to enable file capabilities to be retrieved or updated in a
>>> single RPC, the text format representation of a capability set MUST
>>> NOT exceed 8192 bytes in length.
>>> 
>>> In order to enable IMA metadata to be retrieved or updated in a
>>> single RPC, a signed hash MUST NOT exceed 4096 bytes in length.
>>> Why the restrictions? Is it a matter of the length of the compound?
>>> 
>>> ——
>>> 
>>> a Merkle
>>> citation?
>>> 
>>> ——
>>> 
>>> An NFSv4 server is required to enforce a suitable level of privilege
>>> before allowing a local or remote agent to alter NFSv4 Security
>>> Labels.  Consult Section 9.6 of [RFC7862] for further details.
>>> 
>>> Is the last sentence a sentance?
>>> 
>>> ——
>>> 
>>> Therefore additional protection using GSS
>>> [RFC7861] or other security mechanisms is not mandatory.
>>> 
>>> Either define GSS or perhaps say RPCSEC_GSS?
>> 
>> --
>> Chuck Lever
>> 
>> 
>> 
> 
> --
> Chuck Lever
> 
> 
>

v2.23.0 | Report a Bug | By Email